ASA 5505 incoming traffic issue #2 (continue)

rashev_kamen
Level 1

Can anybody figure out why the port-mapped traffic (smtp, www, RDP) is not going to the server Zeus? I guess something is wrong with the AAA access-list.

Thanks for the help!

hostname ASA
names
name 10.100.50.172 Zeus
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name foods.com
object-group service VDC
 description Video Conferencing
 service-object tcp source range 3230 3238 range 3230 3238
 service-object tcp eq h323
 service-object udp source range 3230 3258 range 3230 3258
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq 3389
access-list out_in extended permit object-group VDC any host xxx.yyy.15.10
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq 3389
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq smtp
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq www
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq pptp
access-list AAA extended permit object-group VDC host xxx.yyy.15.10 host 10.100.86.5
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) interface access-list AAA
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global

4 Replies

Farrukh Haroon
VIP Alumni

You are right, the ACL is from the perspective of the ASA, it should be the reverse:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043281

Regards

Farrukh

I have replaced the statements in the AAA access-list with

#access-list AAA extended permit tcp host Zeus eq smtp host xxx.yyy.15.10 eq smtp

But it is still not working. What am I doing wrong?

Run the packet-tracer command and see what is going wrong.

Regards

Farrukh

Replace "xxx.yyy.15.10" with the word "interface" in your policy acl.
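As an added example (not part of the thread, and not Cisco's code), the check below encodes the point Farrukh makes: on a pre-8.3 ASA the access-list named in a policy `static` is read from the ASA's perspective, so each entry's source must be the real inside host (Zeus), not the mapped outside address. It parses a constructed config excerpt modelled on the one posted above, with the masked address xxx.yyy.15.10 replaced by the documentation address 192.0.2.10, and flags policy NAT entries whose source is the mapped interface address, `any`, or not on the inside network. The parser handles only the `host`, `any` and `address mask` forms plus the `eq`/`neq`/`gt`/`lt`/`range` port operators seen in this kind of config.

```python
"""Lint a pre-8.3 Cisco ASA config for policy static NAT access-list entries
written from the wrong perspective (mapped address as source instead of the
real inside host). Added example for this thread, not code from the original
post or from Cisco."""
import ipaddress
import re

# Constructed excerpt modelled on the thread's config: xxx.yyy.15.10 is
# replaced by 192.0.2.10. Two AAA entries carry the mapped address as source
# (the mistake under discussion); the third names the real host Zeus.
SAMPLE_CONFIG = """\
hostname ASA
name 10.100.50.172 Zeus
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.248
access-list out_in extended permit tcp any host 192.0.2.10 eq www
access-list AAA extended permit tcp host 192.0.2.10 host Zeus eq 3389
access-list AAA extended permit tcp host 192.0.2.10 host Zeus eq smtp
access-list AAA extended permit tcp host Zeus eq www any
static (inside,outside) interface access-list AAA
access-group out_in in interface outside
"""

# Port operators and how many tokens (operator included) each consumes.
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def _take_addr(tokens, i, names):
    """Consume one ACE address spec at tokens[i]; None stands for 'any'."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    # "A.B.C.D M.M.M.M" form
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens[i + 1]}", strict=False), i + 2


def _skip_ports(tokens, i):
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + PORT_OPS[tokens[i]]
    return i


def parse_config(text):
    """Return (names, interfaces by nameif, ACEs by ACL name, policy NAT statics)."""
    names, interfaces, acls, policy_nat = {}, {}, {}, []
    cur_nameif = cur_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]                        # name <ip> <alias>
        elif t[0] == "interface":
            cur_nameif = cur_ip = None                # new interface block
        elif t[0] == "nameif":
            cur_nameif = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            cur_ip = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-list" and len(t) > 2 and t[2] == "extended":
            acls.setdefault(t[1], []).append(line)
        elif t[0] == "static" and "access-list" in t:
            m = re.match(r"\((\S+),(\S+)\)", t[1])    # (real_ifc,mapped_ifc)
            policy_nat.append((m.group(1), m.group(2), t[t.index("access-list") + 1]))
        if cur_nameif and cur_ip:
            interfaces[cur_nameif] = cur_ip
    return names, interfaces, acls, policy_nat


def parse_ace(line, names):
    """Return (source, destination) of an extended ACE; None means 'any'."""
    t = line.split()
    i = 6 if t[4] == "object-group" else 5            # skip 'access-list N extended permit <proto>'
    src, i = _take_addr(t, i, names)
    i = _skip_ports(t, i)
    dst, _ = _take_addr(t, i, names)
    return src, dst


def lint_policy_nat(text):
    """Flag policy NAT ACEs whose source is not a real host on the real interface."""
    names, interfaces, acls, policy_nat = parse_config(text)
    findings = []
    for real_ifc, mapped_ifc, acl in policy_nat:
        if real_ifc not in interfaces or mapped_ifc not in interfaces:
            continue
        real_net = interfaces[real_ifc].network
        mapped_ip = interfaces[mapped_ifc].ip
        for ace in acls.get(acl, []):
            src, _ = parse_ace(ace, names)
            if src is None:
                findings.append((ace, "source is 'any'; name the real host instead"))
            elif mapped_ip in src:
                findings.append((ace, f"source is the mapped {mapped_ifc} interface address; "
                                      f"the real {real_ifc} host belongs in the source"))
            elif not src.subnet_of(real_net):
                findings.append((ace, f"source {src} is not on the {real_ifc} network {real_net}"))
    return findings


if __name__ == "__main__":
    for ace, why in lint_policy_nat(SAMPLE_CONFIG):
        print(f"{ace}\n    -> {why}")
```

Run against the excerpt, the two entries with `host 192.0.2.10` as source are reported and the entry with `host Zeus` as source passes; the same check applied to the posted config would flag all five AAA entries for the reason Farrukh gives.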
